JDeveloper and Virtual Private Database (VPD) Help Needed - JDeveloper and ADF

A VPD allows different users to log into a system and retrieve information commensurate with their security role. We would like to use JDeveloper to build a JSP application running off an Oracle database (8.1.7) with a VPD.
Is there a way we can use the jbo data tags to allow different users to log into the application? This would affect the jbo:application tags as well as the business components which are tied to a particular connection.
Any help is greatly appreciated :)

Related

Security in an BC4J application

Hey,
we built an application in a 3 tier architecture with BC4J and deployed this as an EJB on an OC4J (standalone).
At this point we want to make our application more secure. On the application level, we relied on the standard J2EE security mechanisms (EJB security, method access, etc.).
On the view level we want to implement "database like" security. For example, an admin is logged in and is allowed to see all data and change all data. But a normal user only sees some data and can only update a few of them.
We found out that a view object is not secured at all. When the user has access rights to the main application module, he can traverse through all child application modules and use any of the view objects that are provided by them. He can operate on the view objects independent of the user who is logged in.
Is there a standard to implement view-level security? Is there any possibility to do this in a declarative manner? Doing this in the client would offend the n-tier principles. We think that this is a server task.
Otherwise someone can write a client which is able to use any view that is provided by an application module and its children.
Versions:
JDeveloper: 9.0.4.0.0 (Build 1347)
OC4J: Oracle Application Server Containers for J2EE 10g (9.0.4.0.0)
Regards
C. Diemer 
I would also like to hear any ideas on this question. We intend to implement roles in our application. Some roles will allow full access (read/write), some can only read, and some cannot read or write. It looks like we will have to implement this security in the web tier, but ideally we would like to have it in the business tier, securing the view objects themselves.
Using:
JDeveloper 10.0.5.2
No specific app server, but we are interested in any solutions, even if they are app server specific. 
Sorry, typo there. I meant version 9.0.5.2. 
We currently have a very clumsy way of doing this and would also appreciate some insight on how to accomplish protecting view objects (or entity objects) based on Database users or roles.
Currently, we are simply querying the current logged in user (logged in using dynamic JDBC credentials) to see if they have a specified role (we have four different roles for our app). If that query returns results we can make decisions on what content to display. Like I said, sloppy but it works! 
Hi,
You could use Oracle JAAS application security with BC4J. This feature is supported since 9.0.4. If you are using 9.0.5, go to help doc title "Implementing Security in Oracle ADF business Component".
You can define read/update/update_while_new on entity columns based on application roles. See the section "Restricting Access to Database Tables".
Basically just go to the Help tab and do a full text search on 'Security' or 'JAAS'.
If you have 9.0.4, go to Help Navigator, "Working with Security in BC4J", under section "Developing Business Component".
Thanks,
Yvonne 
If you are using an Oracle 8.1 or later database you can use the Virtual Private Database feature (VPD, fine grained access control).
Have a look at
- http://govt.oracle.com/~tkyte/article2/
- http://otn.oracle.com/products/jdev/howtos/bc4j/bc4jvpdjaas.html
regards, Markus 
C. Diemer,
I have a whitepaper for review that explains how you can use J2EE security roles to make the view dependent on the user's role memberships. Basically this paper explains how to use and modify Struts tag libraries to make this happen. The paper should be on OTN within the next two weeks.
Using VPD to protect data is a good idea and worth following. Using JAAS, compared to J2EE security, is a completely different model that allows you to protect attributes for read, write and update but doesn't have an impact on how the view renders the secured information.
Frank

OC4J Security

Hi,
I am using OC4J to set up a basic authentication mode (using security constraints in web.xml) with an LDAP server and everything is working fine.
In the application I am retrieving the logged user name by using the API:
request.getUserPrincipal().getName()
Is it somehow possible to retrieve the logged user's role? I need it to set up the JSP page (i.e. buttons etc. according to the logged user's role).
Thanks,
Rocky 
Not that I know of -- this is standard Servlet API stuff and I don't recall seeing any form of extension we've provided.
You can check to see if the user is in a specific role using the boolean request.isUserInRole(String role) method.
It's kind of ugly but using it you should be able to build up a little helper on your own to handle this problem and perform the check you need to do and determine what role the user is in based on your known set of logical roles.
-steve-
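A helper along the lines Steve describes, written here as an added example (it is not code from the thread or from Oracle): it walks a list of logical roles from most to least privileged and returns the first one the container confirms. The class name and the role names `admin`, `editor` and `viewer` are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

/**
 * Maps the boolean isUserInRole() checks that the Servlet API offers onto one
 * logical role name that a JSP can branch on. Hypothetical helper: the role
 * names below are assumptions, not names from the thread or from OC4J.
 */
public final class LogicalRoleResolver {

    /** Logical roles ordered from most to least privileged. */
    private static final String[] ROLES_BY_PRIVILEGE = { "admin", "editor", "viewer" };

    /** Returned when the caller is anonymous or holds none of the known roles. */
    public static final String NO_ROLE = "none";

    private LogicalRoleResolver() {
    }

    /**
     * Returns the most privileged logical role the caller holds, or NO_ROLE.
     * Deny by default: a request with no authenticated principal never maps to a role.
     */
    public static String resolve(HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            return NO_ROLE;
        }
        for (int i = 0; i < ROLES_BY_PRIVILEGE.length; i++) {
            // isUserInRole() only matches role names the container knows about, i.e.
            // names declared in web.xml as <security-role> or mapped through a
            // <security-role-ref>; any other name simply yields false.
            if (request.isUserInRole(ROLES_BY_PRIVILEGE[i])) {
                return ROLES_BY_PRIVILEGE[i];
            }
        }
        return NO_ROLE;
    }

    /** True when the caller holds at least one of the given roles. */
    public static boolean hasAnyRole(HttpServletRequest request, String[] roles) {
        if (request.getUserPrincipal() == null) {
            return false;
        }
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }
        return false;
    }
}
```

In the JSP, `<% String role = LogicalRoleResolver.resolve(request); %>` is enough to decide which buttons to render. That decision only shapes the page; the servlet or action that performs the update has to repeat the check (or be covered by a `<security-constraint>` or EJB method permission), because nothing stops a user from submitting the request that the hidden button would have sent.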
J2EE specification lacks several generic security services. Many people have stated that there are five generic security services that almost every web-apps use:
1) Authentication
2) Authorization
3) Registration (i.e. adding new users)
4) Administration (e.g. change password)
5) Deletion
J2EE has features to handle authentication (e.g. basic, form, etc.).
Authorization is very limited in J2EE. As Steve has stated, the boolean request.isUserInRole(String role) method is probably the only option.
I think you will need to write custom code to handle these security services. One possible option is to use JAAS.
I am looking for information on how to implement these five generic services using Oracle's JAAS (JAZN). However, most of the documentation is not very obvious to me.
Does anyone have references on how Oracle's JAAS (JAZN) works with these five generic security services?
Thanks.
Peace,
T 
JAAS (and by consequence JAZN-LDAP) covers only authentication and authorization.
For managing user accounts, you must update the LDAP using either DAS or a tool like ldapadd.
I think it might be possible to create users using JNDI but I have never tested this with OID.
Regards.
Robin 
Robin,
Doesn't JAZN have Java APIs that developers can use with their web-app?
It would be cool if Oracle, Java Specs, or any J2EE container firms can provide these five generic security services.
Currently, every application has custom code to implement these basic generic security services.
Hi,
OC4J Security -
What does OC4J stand for?
Is this security actually used for the application side or the database side?
After going through some documents, I believe that it will be used for the application side.
Not much effective security is provided in this.
We can adopt it through a script.
If it is OK, how will we make/describe it?
Need clear information - kindly inform.
mkthamaraiselvan#yahoo.com
With cheers from..
M.K.Thamaraiselvan. 

Authorisation: controlling access to objects/data

Hi all,
I am looking for some pointers to design patterns that deal with authorisation.
The issue at hand is the following: for an enterprise application we need to implement a mechanism that manages user-access to certain data. Example: if a user asks for sales-figures, only the data that he/she is allowed to see (e.g. based on office) should be included in the result.
The question that we ask ourselves is: do we set up a separate authorisation manager (session bean) that includes all the business logic to restrict user-access, or do we make the specific objects (entity beans) responsible for this?
The latter solution would take the form of: entity bean Office, getSalesFigures(Year, User) method; based on the User object, access is granted or not. The method will return 0 if the user has no access.
Feedback is appreciated.
Regards,
Jaap 
Hi,
The Composite View pattern http://java.sun.com/blueprints/corej2eepatterns/Patterns/CompositeView.html
has some discussion about applying security based on user roles.
Also the Intercepting Filter pattern
http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html
can be used to apply security checks. The Java petstore applies this pattern for self-registration of users, and this is explained in more detail at
http://java.sun.com/blueprints/patterns/InterceptingFilter.html which includes an explanation of the pattern being applied, and also a link to the details of its implementation at
http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/sample-app/sample-app1.3.1a3.html#wp1065478
These should give you a good starting point for designing role based security. The petstore used a separate module for security because it was allowing self-registration of users. If your application does not allow users to create and manage their own user accounts (like yahoo mail etc.) and instead all accounts are set up administratively (someone in the company sets up each user account), then the J2EE platform may provide the capabilities you require and you may not need to write a separate module.
The J2EE programming model also has a lot of support for role based security. So you may be able to leverage the J2EE environment to do much of the work for you. The J2EE security model is described in the security chapter of the BluePrints book at
http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/index.html
hope that helps,
Sean 
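As an added illustration of the Intercepting Filter pattern Sean points to (example code, not from the thread and not the BluePrints sample itself), a servlet filter that maps URL prefixes to the role required to reach them and refuses everything under a protected prefix that does not carry that role. The prefixes and role names are constructed for the example.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Intercepting Filter that enforces a role per URL prefix before the request
 * reaches the JSP or servlet. Prefixes and role names are constructed for the
 * example; a real deployment would read them from filter init-params.
 */
public class RoleInterceptingFilter implements Filter {

    /** Path prefix (relative to the web app) -> role required to pass. */
    private final Map requiredRoleByPrefix = new LinkedHashMap();

    public void init(FilterConfig config) throws ServletException {
        requiredRoleByPrefix.put("/admin/", "admin");
        requiredRoleByPrefix.put("/reports/", "analyst");
        requiredRoleByPrefix.put("/reports/export/", "admin"); // tighter rule for a sub-tree
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path plus path info is the container-normalised path inside the
        // web app, independent of the context root it was deployed under.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }

        String required = requiredRole(path);
        if (required == null) {
            chain.doFilter(req, res); // prefix is not under protection
            return;
        }
        if (request.getUserPrincipal() == null) {
            // The container's login-config should have authenticated the caller
            // before a protected prefix is reached; this branch is defence in depth.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix wins, so "/reports/export/" beats "/reports/". */
    String requiredRole(String path) {
        String bestPrefix = null;
        String bestRole = null;
        for (Iterator it = requiredRoleByPrefix.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            String prefix = (String) e.getKey();
            if (path.startsWith(prefix)
                    && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
                bestRole = (String) e.getValue();
            }
        }
        return bestRole;
    }

    public void destroy() {
    }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `url-pattern` is `/*`, and declare the role names under `<security-role>` so that `isUserInRole()` can resolve them. For purely static URL-to-role rules a `<security-constraint>` in web.xml already does this declaratively; the filter earns its place when the decision depends on something the declarative model cannot see, such as a request parameter or the record being requested.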
I feel your pain. Unfortunately the J2EE spec has no concept of instance based security (something that would allow you to accomplish your goal very easily). Most applications that require instance based security have to build that into the application - not a very good or reusable approach. We first hit this problem several years ago on a project for Alamo. Our solution was to develop a security server that took care of the instance based security. We have since used this security server on several other projects. If you would like more information on how we implemented the security server or instance based security in general, send may an email (mbz at urbancode.com).
--Maciej
www.urbancode.com 
not sure if relevant,
The Java Authentication and Authorization Service (JAAS) is a package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
I am familiar with JAAS, but it simply does not provide an answer to instance based authorization. Java security is great if you want to know whether one user is able to create orders and another user is able to only view orders. Unfortunately, in most real world applications that is not the important question since all users can create and view orders. The important question is whether a specific user (Mary) can view a specific order (an order placed by Jack). JAAS has no support for answering that question. 
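To make the distinction Maciej draws concrete, and to show the shape Jaap's `getSalesFigures(Year, User)` idea takes when the decision lives in one place, an added example that is not code from the thread: a role check ("may this kind of user view orders?") combined with an instance check ("may this user view this order?"). `Order`, `User`, the `order-viewer` role and the ownership rule are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Constructed domain object: the instance whose visibility is being decided. */
final class Order {
    final long id;
    final String ownerUserId;
    final String office;

    Order(long id, String ownerUserId, String office) {
        this.id = id;
        this.ownerUserId = ownerUserId;
        this.office = office;
    }
}

/** Constructed caller: roles answer "can this kind of user view orders at all?". */
final class User {
    final String userId;
    final String office;
    final Set<String> roles;

    User(String userId, String office, String... roles) {
        this.userId = userId;
        this.office = office;
        this.roles = new HashSet<String>(Arrays.asList(roles));
    }
}

final class AccessDeniedException extends Exception {
    AccessDeniedException(String msg) {
        super(msg);
    }
}

/** Single decision point: role (what the user may do) plus instance (on which object). */
final class OrderAuthorizer {
    boolean canView(User user, Order order) {
        if (user == null || order == null) {
            return false;
        }
        if (user.roles.contains("admin")) {
            return true; // the role alone suffices for administrators
        }
        if (!user.roles.contains("order-viewer")) {
            return false; // the function itself is not granted
        }
        // Instance rule (assumed): a viewer sees orders they placed or orders from their office.
        return order.ownerUserId.equals(user.userId) || order.office.equals(user.office);
    }
}

/** Repository facade that refuses to hand back an instance the caller may not see. */
final class OrderService {
    private final Map<Long, Order> orders = new HashMap<Long, Order>();
    private final OrderAuthorizer authorizer = new OrderAuthorizer();

    void add(Order order) {
        orders.put(order.id, order);
    }

    /** "Not found" and "not allowed" are reported identically so existence is not leaked. */
    Order findOrder(User caller, long orderId) throws AccessDeniedException {
        Order order = orders.get(orderId);
        if (order == null || !authorizer.canView(caller, order)) {
            throw new AccessDeniedException("order " + orderId + " is not accessible");
        }
        return order;
    }

    public static void main(String[] args) {
        OrderService service = new OrderService();
        service.add(new Order(1001, "jack", "berlin")); // Jack's order

        User jack = new User("jack", "berlin", "order-viewer");
        User mary = new User("mary", "munich", "order-viewer");
        User admin = new User("root", "hq", "admin");

        for (User u : new User[] { jack, mary, admin }) {
            try {
                service.findOrder(u, 1001);
                System.out.println(u.userId + ": allowed");
            } catch (AccessDeniedException e) {
                System.out.println(u.userId + ": denied (" + e.getMessage() + ")");
            }
        }
    }
}
```

Jack and the administrator get the order back; Mary, who holds exactly the same role as Jack, is refused, which is the question a pure role check cannot answer. Compared with Jaap's "return 0 if the user has no access", throwing keeps "no data" and "no permission" distinguishable for the caller while still not revealing to the denied user whether the order exists. The same rule expressed as a row filter in the database is what VPD, mentioned earlier in the thread, does on the server side.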
This is something that our company has been struggling with for quite some time. If your code is being executed through an application server of some kind (JBoss for us), there is some support out there for the JCA specification. JCA allows the application server to cache the username/password from JAAS and try to use it to connect to your DB. This spec is a part of J2EE 1.3, and each application server implements it differently (if at all). From there it's dependent on your database security to limit user A from viewing user B's orders.
Again, there is support for JCA in most application servers, and most database servers have the ability to limit viewing of content based on who is logged in.
We're currently investigating JCA with JBoss 3.0, and haven't got it functioning yet, but it looks very promising! Let me know if you have any questions. 
In case anyone is interested, here's a link to the thread that I started when we started having these same questions:
http://forum.java.sun.com/thread.jsp?thread=255252&forum=92&message=991345
hopefully this will help someone else out there! 
I like the word "pain".
We are looking into replacing our current application with a J2EE platform. I read through the Sun J2EE Tutorial, I do not see anywhere the possibility of supporting object-level access control.
We cannot use entity beans because CMP circumvents any security and BMP is awkward and leaky. My current thought is that we'll try the JDO approach to persist objects ourselves, and do access control there.
I do not know if any of the J2EE vendors have any extension that we can use.
What a shame! A simple thing turned into a major problem!
Please send me anything on how you solved this problem. 
Hello,
I also had a look on JAAS and found this article: Extend JAAS for class instance-level authorization
http://www-106.ibm.com/developerworks/java/library/j-jaas/
I have not tried it yet, but I think this could give a hint.
Regards
chris

Oracle's Temporary Table Use/Session Management

I'm wondering about the session management that the JSQL services use. We have an app that uses a standard Oracle user but we manage the users via the application. We are using the temporary table feature in Oracle as it allows for session specific data to be created, read, etc. for that single session.
Is there a way for me to force each new web user into its own session (that will span across multiple XSQL pages) so that we can continue to use this functionality?
Thanks. 
Not using the built-in connection manager, but the latest versions of the XSQL Pages framework allow you to provide your own implementation of a connection manager that could be a custom implementation like this. 
I have the latest versions - do you have an example? Thanks for the reply.

Oracle Applications with Struts declarative security?

Hi,
I was wondering if there were any best practices out there that dictate the best way to write a Struts web application that interfaces with Oracle Applications 11i.
I know that in Oracle Applications you can define "responsibilities", and tie these responsibilities to certain menu items, or functions. This role/responsibility information is stored on the database, and I have heard there is an API(PL/SQL??) to access it.
However, if you wanted to follow the best practice of declarative security (i.e. putting user roles and what they can access in a file such as web.xml), it seems like this wouldn't fit in with the way Oracle Applications is doing things.
How have people in the past integrated security into their web apps, when the users, passwords, and responsibilities are set and stored by Oracle Applications(11i)?
It would probably be a bad practice to dynamically rebuild the web.xml file every time a role was added or modified in Oracle Applications. I want a good way of avoiding programmatic security, while at the same time maintaining centralized security.
Any ideas would be great!
Thanks
